controlling polyvariance for specialization-based verification · controlling polyvariance for...
TRANSCRIPT
Controlling Polyvariance forSpecialization-Based Verification
Fabio Fioravanti (Univ. D’Annunzio, Pescara, Italy),
Alberto Pettorossi (Univ. Tor Vergata, Rome, Italy),
Maurizio Proietti (IASI-CNR, Rome, Italy),
Valerio Senni (Univ. Tor Vergata, Rome, Italy)
CILC 2011, Pescara August 31 - September 2, 2011
Forward Reachability
Verification via Reachability
Backward Reachability
Initial States Unsafe States
?...t t2
Initial States Unsafe States
?... t-1t-2
= ∅ safety
≠ ∅ unsafety
= ∅ safety
≠ ∅ unsafety
t!
t-!
Bw:
(I’s) unsafe " init1(X) ∧ bwReach(X)
!
(T’s) bwReach(X) " t1(X,X’) ∧ bwReach(X’)
!
(U’s) bwReach(X) " u1(X)
!
Theorem:
The system is safe iff unsafe M(Bw) ≃ (SBw)#!
A ! A " c with c ! satisf.
Backward Reachability as a Constraint Logic Program
∈
An Example of System Verification
init(<X1,X2>): X1$1 ∧ X2=0
t(<X1,X2>, <X’1,X’2>): X’1= X1+X2 ∧ X’2= X2+1
u(<X1,X2>): X2>X1
<X1,X2>
X’1= X1+X2
X’2= X2+1
Bw:
1. unsafe " X1$1 ∧ X2=0 ∧ bwReach(X1,X2)
2. bwReach(X1,X2) " X’1= X1+X2 ∧ X’2= X2+1 ∧ bwReach(X’1,X’2)
3. bwReach(X1,X2) " X2>X1
Unfortunately, the computation of M(Bw) does not terminate.
Verification via Specialization:
(A) Bw SpBw
(B) unsafe M(SpBw)∈
Specialization via Unfold/Definition/Fold
def-intro:
4. new1(X1,X2) " X1$1 ∧ X2=0 ∧ bwReach(X1,X2)
fold:
1f. unsafe " X1$1 ∧ X2=0 ∧ new1(X1,X2)
unfold:
4u. new1(X1,X2) " X1$1 ∧ X2=0 ∧ X’1=X1 ∧ X’2=1 ∧ bwReach(X’1,X’2)
def-intro:
newp(X’1,X’2) " X’1$1 ∧ X’2=1 ∧ bwReach(X’1,X’2)
fold: ...
unfold: ...
def-intro:
newq(X”1,X”2) " X”1$1 ∧ X”2=2 ∧ bwReach(X”1,X”2)
!
Nontermination of specialization
0
1
2
!
Need for Generalization
def-intro:
5. new2(X1,X2) " X1$1 ∧ X2$0 ∧ bwReach(X1,X2) (generalization)
4uf. new1(X1,X2) " X1$1 ∧ X2=0 ∧ X’1$X1 ∧ X’2=1 ∧ new2(X’1,X’2)
From 5 by unfold-fold:
6. new2(X1,X2) " X1$1 ∧ X2$0 ∧ X’1=X1+X2 ∧ X’2=X2+1 ∧ new2(X’1,X’2)
7. new2(X1,X2) " X1$1 ∧ X2>X1
SpBw: 1f, 4uf, 6, 7.
Specialization has terminated (due to generalization).
The computation of M(SpBw) terminates:
unsafe M(SpBw)
new1(X1,X2) " false
new2(X1,X2) " X1$1 ∧ X2>1
∈
A Different Specialization
new2 is more general than new1: use new2, instead of new1.
SpBw1:
1f’. unsafe " X1$1 ∧ X2=0 ∧ new2(X1,X2)
6. new2(X1,X2) " X1$1 ∧ X2$0 ∧ X’1=X1+X2 ∧ X’2=X2+1 ∧ new2(X1,X2)
7. new2(X1,X2) " X1$1 ∧ X2>X1
SpBw1: 1f, 6, 7.
Fold “immediately”: use of new1 and new2.
More polyvariance (SpBw).
Fold at the end “with a maximally general definition”: use of new2 only.
Less polyvariance (SpBw1).
Polyvariance depends on generalization and folding and
affects the specialization time and the size of the specialized
program (and thus, the computation of the M(SpBw)).
!
Constructing the Definition Tree: DefsTree
D1 Dk
{I1} {Ik}...
D
B1 Bh-1
...
Bh
Unfold using T’s and U’s: ...
Generalize:
constrainedfacts
G1 Gh-1
...
Stop if node D occurs earlier in DefsTree.
D
G1 Gh-1
B1 Bh-1...
a generic node D:
Partition of clausesinto blocks:
Initialization:
DefsTree for Our Verification
!
D1: 4. new1(X1,X2) " X1$1 ∧ X2=0 ∧ bwReach(X1,X2)
D1
{1}
Initialization:
4u. new1(X1,X2) " X1$1 ∧ X2=0 ∧ X’1=X1 ∧ X’2=1 ∧ bwReach(X’1,X’2)
5. new2(X1,X2) " X1$1 ∧ X2$0 ∧ bwReach(X1,X2)
D2: 5. new2(X1,X2) " X1$1 ∧ X2$0 ∧ bwReach(X1,X2)
{4u}
Unfold:
Generalize (ch+widen):
Generalization: (Convex-Hull and) Widen
X1$1 ∧ X2%0 ∧ X2$0
previous definition D1 :
X1$1 ∧ X2%1 ∧ X2$1
unfold (renaming X’i / Xi):
Convex-Hull
X1$1 ∧ X2 $0 ∧ X2 % 1
banc (X1,X2):
X1$1 ∧ X2%0 ∧ X2$0
previous definition D1 :
Widen
X1$1 ∧ X2$0
Another generalization operator: (Convex-Hull and) WidenSum.
It takes into account the coefficients of the variables (in our case: 1).
Input: program Bw
Output: program SpBw such that unsafe ∈ M(Bw) iff unsafe ∈ M(SpBw)
Initialization: DefsTree := {T"D1,...,T"Dk}
while there exists a definition D in DefsTree which does not occur earlier
do - unfold using Ti’s and U
i’s and derive UnfD;
- definition introduction:
Partition(UnfD, {B1,..., Bh}) ;
Generalize(D, Bi, DefsTree, Gi) and derive a new DefsTree
od
Fold(DefsTree, SpBw)
Generic Specialization Algorithm
blocks
a generalized definition
UnfD: clauses C1, ... , Cm, Cm+1, ... , Cn
1. Singleton: {C1}, ... , {Cm}
2. Finite Domain: clauses Ci and Cj in the same block iff con(Ci)|X’ ≃fd con(Cj)|X’
3. All: {C1, ..., Cm}
Various Partition Operators
(constrained facts)
e.g., X’1=a ∧ X’2=a ≃fd X’1=a ∧ X’2=X’1
Partition:
(m blocks)
(one block)
!"
Technique by
Partition Generalization Folding
Cousot-Halbwachs: Finite-Domain Widen
Peralta-Gallagher: All Widen Maximally General
FPPS (Lopstr 2010): Singleton Widen (or WidenSum) Immediate
our new1-new2: Singleton Widen Immediate
our new2: Singleton Widen Maximally General
Reconstructing Known Techniques
No-Specializat. All_Widen Singleton_WidenSum
Bakery 4 130 Im 19 (6) 101 (1745)
MG 19 (6) 77 (1172)
Ticket 2 & Im & 0.02 (11)
MG & 0.02 (11)
Futurebus+ 15 Im 17 (6) 2.4 (19)
MG 15 (3) 2.2 (15)
McCarthy91 & Im 4.13 (5) & MG 4.12 (3) &
Verification of System: Backward Reachability
!"
29 protocols: 20 verified MG 21 verified 27 verified
Similar results for Forward Reachability.
Times in milliseconds.
Number of definitions
between parentheses.
& means more than
200 seconds
! A generic specialization algorithm reconstructing various
techniques known in the literature (plus new ones), depending on:
- partition operators (singleton, all, ...)
- generalization operators (widen, ...)
- folding procedure (immediate, maximally general)
! Specialization improves precision (i.e., the number of verified
properties or systems) but may increment verification time
! Polyvariance control may allow fewer definitions and shorter
verification times at the expense of possible loss of precision.
Conclusions
An implementation in SICStus Prolog as a module of
the MAP transformation system.
http://map.uniroma2.it/mapweb
Tool
- Perform more system verifications and check scalability of the approach.
- Use of polyvariance control outside the scope of the verification of reactive
systems.
Future Work
References
E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.
P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among
variables of a program. In Proceedings of the Fifth ACM Symposium on Principles
of Programming Languages (POPL'78), 84-96. ACM Press, 1978.
F. Fioravanti, A. Pettorossi, M. Proietti, and V. Senni. Program specialization for
verifying infinite state systems: An experimental evaluation. In Proceedings of
LOPSTR '10, LNCS 6564, 164-183. Springer, 2011.
M. Leuschel, B. Martens, and D. De Schreye. Controlling generalization and
polyvariance in partial deduction of normal logic programs. ACM Transactions on
Programming Languages and Systems, 20(1):208-258, 1998.
J. C. Peralta and J. P. Gallagher. Convex hull abstractions in specialization of CLP
programs. In Proceedings of LOPSTR '02, LNCS 2664, 90-108. Springer, 2003.